Gov’t Adds Open Source Security to Software Supply Chain

The federal government is stepping up to protect the software supply chain. Last year, President Biden signed an executive order to improve national cybersecurity and bring better protection to federal government networks. In September, the Senate introduced legislation called the Securing Open Source Software Act of 2022, stating, in part, that “the federal government should play a supporting role in ensuring the long-term security of open source software.”

This action is necessary because the software supply chain has emerged as a common attack vector, according to Jim Kelly, RVP, Endpoint Security at Tanium.

Recognizing just how vital open source security is to the success of the software supply chain is a positive move by the government, but for it to work, organizations across the public and private sector need to step up and do their part by following the frameworks established.

“E-companies that use open source software repositories will need to be cautious to ensure they understand both what they are deploying and are taking inventory through a ‘Software Bill of Materials’ process to be better equipped to identify and remediate when malicious or suspicious payloads arise,” said Kelly.

But to secure the supply chain, first organizations need to understand the role of open source and the need for improving its security.

Importance of Open Source Security

Open source components are everywhere, with the vast majority of software applications using some open source code, in some cases up to 80% or more.

And, of course, this doesn’t stop at the application level, Varun Badhwar, CEO and co-founder at Endor Labs, pointed out.

“The industry’s dependency on open source continues down the stack, e.g., operating systems or container technologies,” Badhwar said in an email interview. “And it continues along the entire development life cycle, for example, integrated development environments (IDEs), compilers or build tools.”

The increasing dependence on open source code within the software supply chain makes it a compelling target for threat actors. “The combined attack surface of thousands of open source projects is much bigger than that of a given vendor’s development infrastructure,” said Badhwar. “And attacking upstream open source projects also has the considerable advantage of spreading out to potentially many downstream consumers: If an attacker gets lucky and is able to inject malware into a highly successful open source project, thousands of direct and indirect downstream users can be infected in a snap.”

How The Frameworks Will Impact Security

So much of our software relies on open source code that no one is getting paid to maintain. “Fundamentally, there is only so much that you can regulate when it comes to volunteer effort; that’s really only on companies and governments as to how they use it,” said John Bambenek, principal threat hunter at Netenrich.

Bambenek said the biggest thing organizations can do is make sure their developers are using trusted repositories for libraries, that those libraries are inventoried and that someone is on the hook to look for updates and patches. Badhwar pointed out that software suppliers need to better understand the code going into their applications.

According to Badhwar, software suppliers should be able to answer some basic questions, such as:

• Who’s been maintaining the code?
• Are they active?
• Do the packages get regular updates?
• Are they reused frequently?
• Have they been tested and found to be secure since the last update?

“This is why, to effectively secure the supply chain, businesses must carefully select and evaluate the dependencies they use–not just when including them for the first time, but continuously,” said Badhwar. “This can help ascertain whether a given project is actively maintained, or has reached end-of-life status. That will also help identify projects that will have security fixes.”

Open source software and projects are becoming a greater risk to organizations as these tools are being leveraged more in software development, said Ben Pick, principal cybersecurity consultant at nVisium, in an email comment.

“The layers of dependencies for the projects have become a major issue due to the increases in security risks,” Pick added. “This can be challenging, as a single piece of open source software can exponentially reference multiple dependencies. Thus, an attacker would only need to target and compromise one of the many open source projects in a pipeline to cause considerable harm.”

Hopefully, through legislation and government frameworks, organizations will be more inclined—or legally required—to do more on their end to address the risks open source presents to the software supply chain.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
